What do you think is the difference between your company and your ISO certified competitors? Is it a one-page certificate? A checkbox on an RFP? More security? The answer is of course all of the above, but so very much more. Only when you go through the ISO implementation process and come out the other end will you truly appreciate the transformative effect it can have on your business.
This article attempts to highlight some of the many ways your ISO certified competitors are better than you, assuming most other things are equal.
They're more self-aware
One of the first things you will do when implementing ISO is establish the context of your organisation. Using tools such as SWOT analysis, PESTEL analysis, Life Cycle Analysis or Back-of-an-Envelope analysis, you undertake a process of getting to know yourself. You figure out what internal and external issues may impact your company and the services you provide, whether you're producing a physical product for another business or providing a public-facing SaaS solution to thousands of customers.
It's a process that helps you discover who all your stakeholders are, and what their real needs and concerns are. You determine your strategic direction, your organisation's values and strategic focus areas. You do all of this as a team, and the end result is a company that is much more self-aware and confident; a company that knows its place and role in the world and where it is headed.
They're more process driven
ISO management system standards are essentially a playbook for how to do things according to international best practice. Distil this down a little further and you'll find that the standards are comprised of a set of repeatable processes that are designed to get things done, the right way, and keep everyone in check.
Companies usually become more process driven as they mature, but you don't need to wait until you're large or old to start this transition. The benefits of becoming a more process driven organisation are wide and far-reaching. Knowledge is institutionalised, and key business processes become self-governing and easily replicable. You will be able to adapt and implement change with less disruption and will better manage complexity as you grow.
They're more secure
This goes without saying. If your competitor is ISO 27001 certified for information security and you're not, then they are more secure, period. You may think otherwise, but it's only when you start the process of implementing ISO that you realise that security is much more than firewalls and pen tests.
It's about managing risk. It's about how you train people and assess your suppliers. It's about how you build in checks and conduct reviews, and how all of this comes together to form a holistic information security management system. Aside from taking more market share, what do all your larger and more progressive SaaS competitors have in common? They're all long since certified to international standards for information security.
They're better at winning deals
Holding ISO certification in the enterprise buying process is a tremendous advantage and your competitors are hammering you for this alone. It's an instant box tick on an RFP and a pretty important one at that.
Nowadays, SaaS buyers are expecting their vendors to be able to prove conformance to international standards for information security, and there are only two ways this can happen: either give them an ISO 27001 certificate, or let them conduct their own assessments of your business. This can involve lengthy security questionnaires, endless back and forth, and even an onsite audit. It's a lot of work for the buyer so guess which option they prefer? That's right - the one page certificate that makes everyone's job easier.
They have better hiring practices
Needless to say, ISO understands the importance of people to your organisation. Effective hiring starts with having clearly defined job descriptions mapped to roles, responsibilities and authorities. With a clear understanding of what the business needs, candidates can be accurately and fairly competency assessed.
This is followed by well thought out induction activities, job specific training and awareness programmes, and regular performance reviews. All of this ensures that not only are the best people hired for the job but that they are given the very best chance for success in their roles.
They have better suppliers
A company is usually only as good as its suppliers. Getting your suppliers wrong can have a cascading effect on the service that you provide to your customers. Imagine a scenario where you have integrated some critical service into your SaaS app and a year later that service provider goes out of business.
ISO requires that you thoroughly vet your suppliers to uncover any issues that may become problems now or down the line. It requires that you establish clear relationships with them that include contracts, Service Level Agreements and regular supplier review activities. The end result is a company whose supplier base is mature, stable and conforms to international best practice.
They manage their risk better
The focal point of ISO management system standards is the identification, treatment and management of business risk. Until you actually sit down and conduct a proper risk assessment exercise you really don't know the extent to which your business can be harmed. Companies are surprisingly brittle. So many things can go wrong that can detrimentally impact your business.
ISO standards require that you identify all these factors and, wherever possible, put controls in place to reduce the likelihood of mistakes being made and things going wrong. When you get there, this is an incredibly powerful and liberating place to be. You can't account for every possible scenario, but you can certainly get a lot closer than you are right now.
They're more compliant
Being 'compliant' is an important part of running a SaaS business. By compliant, we don't simply mean compliance with, say, an ISO standard. Compliance is far broader than ISO and includes all applicable laws and regulations that impact your business. It also includes voluntary commitments, organisational and industry standards, contractual relationships, employment agreements, codes of practice, service level agreements and other obligations.
ISO requires that you identify, document, monitor and regularly review all such compliance requirements to ensure that your business is in a continuous state of compliance. This means happier customers, employees, regulators and other stakeholders.
They're better prepared for the inevitable
As a SaaS business, especially one that is not certified to ISO, you are bound to suffer at least one major incident. This could be a serious platform outage, a security breach of customer data, or a disaster impacting your place of business, among others. Because your competitors are certified to ISO, they are already prepared for this. They have tried and tested plans in place to deal with such events.
This includes procedures around how they communicate with customers, how they bring failed systems back online, how they shift to alternative working arrangements, and how they handle the fallout. Given the alternative of crossing your fingers and winging it when disaster strikes, this is a powerful position to be in.
They're more knowledgeable
ISO management system standards are designed to retain important knowledge throughout all levels of your organisation. Key changes cannot be made without documenting the business case, rationale and implementation plans. Analysing and documenting lessons learned ensures that knowledge generally gained by experience is used and shared and doesn't leave with former employees.
Risk reviews, management reviews and internal audits all increase the flow and retention of important business knowledge. All of this leads to a more knowledgeable workforce. One that understands the value of knowledge and the difference its effective management can make in all areas of business.
They're better communicators
As mentioned already, ISO provides a playbook for how your company can operate in line with international standards. But to apply that playbook in practice, ISO understands that it requires effective communication with your stakeholders. This includes employees, customers, suppliers, partners, investors and other third parties.
ISO provides guidance and requirements around how you identify who to communicate with, and why you would be communicating with them in the first place. It goes further to help you determine what to communicate, when to communicate and how that communication takes place. All of this leads to an organisation that has a much greater understanding of the importance of effective communication, and in turn can communicate effectively.
Their customers are happier
ISO standards such as ISO 27001 for information security and ISO 9001 for quality management ultimately exist to make you a better supplier to your customers. Whether the customer is internal or external it doesn't really matter. With such a focus on the needs and concerns of your customers, how could they not be happier?
You could argue that your customers are already happy, without ISO certification. Of course that's probably the case. But could they be happier if, in addition to all that you are doing now, you were also ISO certified?
They have less technical debt
We've written about how ISO certification helps SaaS companies better manage their technical debt. Managing technical debt isn't something SaaS founders, or even developers, typically think about, especially those that have never experienced the impact it can have. When left unchecked, technical debt poses a serious problem for your business.
ISO helps you implement processes to identify the specific risks that unmanaged technical debt presents, and put in place controls to mitigate and manage those risks. The result is a company that deeply understands technical debt, knows how to address it, monitor it, and ensure that it never gets out of hand.
They're improving faster
A cornerstone of every ISO management system standard is the concept of continuous improvement. We've referred to ISO standards earlier as being like a playbook, or a set of best practice processes. Think of ISO now like a big cylindrical drum that's constantly revolving. Everything that gets put into that drum is first planned, then it's done, then it's checked, any issues are corrected and improvements are made in time for the next revolution.
With ISO, continuous improvement is not an event or something that is done at a predetermined point in time. It's happening constantly as part of standard operating procedure. And it's limitless. How can you compete with this?
They're better looking
Fact. Just scroll down and look at the author of this article! Employees of ISO certified companies are less stressed, sleep better and have more time to innovate. Why? Because they are on top of things. They don't stay awake at night worrying about a security breach or how unprepared they are for the next PaaS outage. They don't waste time reinventing the wheel each time they need to conduct a business process. They don't get stressed having to complete 200-question security questionnaires.
They spend more time doing the work they love, and their happier customers make them happy too. Less stress, more sleep and greater job satisfaction all lead to better skin complexion, fewer wrinkles, brighter eyes and an all-round healthier physique.
After reading this article you may be feeling indifferent, disheartened or invigorated. If feeling indifferent, then you're either already ISO certified or you'll probably never be and will be that company that is forever in your competitors' dust.
If you're feeling disheartened, remember that ISO certification is attainable by any size or type of organisation. It's entirely within your reach and all it takes is a decision, commitment and some hard work.
If you're feeling invigorated then good for you. You should be. In fact you should also feel a little annoyed that you haven't addressed this before now and have allowed your competitors to gain so much ground!
If you are in either of the latter two camps then let's talk. ISO is not an easy process, but Upscaler makes ISO implementation the easiest it can be. We give you all the tools, documentation and support that you need to implement ISO and ace your audit.